github-repos/wget
1
0
Fork 0
mirror of https://github.com/mirror/wget.git synced 2025-03-29 13:30:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix buffer overflow in CSS parser

Browse Source 
* src/css-url.c (get_urls_css): Check input string length
* fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240:
  Add reproducer corpus

Fixes OSS-Fuzz issue #8032.
This is a long standing bug affecting all versions <= 1.19.4.
This commit is contained in:
Tim Rühsen 2018-04-26 21:25:02 +02:00
parent acfd9b4d56
commit cb47f3aaa4
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240 Normal file
View File

@ -0,0 +1 @@
@import

4
src/css-url.c
View File

@ -143,7 +143,7 @@ get_urls_css (struct map_context *ctx, int offset, int buf_length)
{ {
uri = get_uri_string (ctx->text, &pos, &length); uri = get_uri_string (ctx->text, &pos, &length);
} }
else else if (length >= 2)
{ {
/* cut out quote characters */ /* cut out quote characters */
pos++; pos++;
@ -152,6 +152,8 @@ get_urls_css (struct map_context *ctx, int offset, int buf_length)
memcpy (uri, yytext + 1, length); memcpy (uri, yytext + 1, length);
uri[length] = '\0'; uri[length] = '\0';
} }
else
uri = NULL;
if (uri) if (uri)
{ {